AWS Transfer for SFTP
User Guide

Rotating SSH Keys

We recommend as a best practice for security that you rotate your SSH keys. Usually, this rotation is specified as a part of a security policy, and implemented in an automated fashion. Depending upon the level of security, for a highly sensitive communication an SSH key pair might be used only once. Doing this eliminates any risk due to stored keys.

However, it's much more common to store SSH credentials for a period of time and set an interval that doesn't place undue burden on SFTP users. A time interval of three months is common.

There are two methods used to perform SSH key rotation:

  • For a single user, you can delete the SSH public key in the console and upload a new one.

  • For multiple users, you can update existing users using the UpdateUsers API operation and a JSON data file.

To perform a key rotation for a single existing user

  1. Sign in to the AWS Management Console and open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

  2. On the Servers page, choose the server that has the user whose SSH public key that you want to replace.

    That user's page opens, as show following.

  3. Choose the SSH public key (fingerprint) that you want to rotate, and then choose Delete.

  4. Confirm the deletion by entering the word delete for Confirm Deletion, and then choose Delete.

  5. Choose Add SSH public key to see the Add key screen, shown following.

    You return to the User configuration screen, and the new SSH public key that you just uploaded appears in the SSH public keys section.

To perform SSH public key rotation for multiple users, create the appropriate JSON data file and call the UpdateUser API operation.